Advanced Profiling in ClearPass 6.6.2

“Malware spawns botnet in 25,000 connected CCTV cameras” was the title of a recent SC magazine article. This was not just a theoretical threat: the botnet was discovered because a DDoS attack brought the network of a “brick and mortar” jewelry store to its knees while the malware also propagated into that network. This is what now keeps IT awake at night: securing IoT devices that do not have embedded security.

To solve this problem, every network device needs to be identified, profiled, and enforced by a policy manager that gives you the flexibility to treat devices differently. You also need the ability to leverage third-party solutions such as firewalls and SIEM to monitor and contain threats that emanate from devices that are acting abnormally.

Had IT been able to identify the spike in traffic on the CCTV camera ports, they could have mitigated the problem before it was too late. That requires a capability called Nmap port scanning.

Using traditional network discovery methods

Traditional network discovery (Figures 1 and 2) and profiling are applied passively through DHCP fingerprinting: profiling data can only be gathered while an endpoint on the network is actively communicating (Figure 3). To address this limitation, we recently introduced a Network Discovery feature and built-in Nmap port scanning.

With network discovery in ClearPass, you initially configure a “seed” switch, from which the other switches and endpoints on the network are discovered. Reading the ARP table yields the MAC address and IP address of each device, from which further profiling information such as category, type, and OS can be derived. Basic fingerprinting stops there, though. Figures 3 and 4 show these basic attributes, while Figure 5 shows the extra detail gained from Nmap port scanning.

Basic profiling is sufficient to initially discover and profile endpoints on the network and apply a policy to control them, but mitigating the real-life breach described above would require more granular information: which devices, and which services on which ports, were being targeted. This is where Nmap scanning comes into play, automatically helping you identify the differences between otherwise similar devices.

Figure 1. Basic Network Discovery – Initially Identify Switches

Figure 2. Basic Network Discovery – Fingerprint Endpoints

Figure 3. Endpoint Discovery with DHCP

Figure 4. Fingerprint Details of Same MAC with DHCP

Here’s why more detailed fingerprinting helps

In the CCTV camera breach mentioned above, more than traditional discovery is required to identify the devices and take accurate mitigation steps. Such an unmanaged device must be profiled, the ports it uses identified, and the services running on those ports recorded. This granular data can then be tied back to the existing security infrastructure and enforcement capabilities within ClearPass Policy Manager.

Active scanning using SNMP already provides more information for non-traditional BYOD devices, which are easier to fingerprint. With ClearPass, we now also have the ability to do active Nmap scanning, which can better identify “hard to fingerprint” devices such as IoT on the network. IT now has an improved way to accurately profile devices that are new and not commonly known.

Figure 5. Fingerprint Details with NMAP Port Scanning
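The port-and-service detail that Figure 5 adds is what lets otherwise similar devices be told apart, as the paragraphs above explain. The following Python script is an added example, not ClearPass or Nmap code: it parses Nmap grepable (-oG) output and flags open services that fall outside a hypothetical per-device-class baseline; the sample scan output, the IP addresses and the baselines are all constructed for illustration.

```python
from dataclasses import dataclass

SAMPLE_GREPABLE = (  # constructed Nmap -oG output for two camera-class endpoints; not a real scan
    "# Nmap 7.70 scan initiated as: nmap -sV -oG - 192.0.2.0/28\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http//, 554/open/tcp//rtsp//\tIgnored State: closed (998)\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet//, 80/open/tcp//http//, "
    "554/open/tcp//rtsp//, 8080/open/tcp//http-proxy//\tIgnored State: closed (996)\n"
)

BASELINES = {  # hypothetical baselines: the services a device of each class is expected to expose
    "ip-camera": {"http", "rtsp"},
    "printer": {"http", "ipp", "jetdirect"},
}

@dataclass(frozen=True)
class Port:
    number: int
    proto: str
    state: str
    service: str

def parse_grepable(text):
    """Return {ip: [Port]} from -oG 'Ports:' lines (entry: port/state/proto/owner/service/rpc/version/)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        for entry in fields["Ports"].split(","):
            number, state, proto, _owner, service = entry.strip().split("/")[:5]
            hosts.setdefault(ip, []).append(Port(int(number), proto, state, service))
    return hosts

def profile_host(ports):
    """Match the host's open services to the closest baseline and list the extras."""
    open_services = {p.service for p in ports if p.state == "open"}
    best = max(BASELINES, key=lambda name: len(open_services & BASELINES[name]))
    return {"class": best, "unexpected": sorted(open_services - BASELINES[best])}

def profile_scan(text):
    """Profile every host in a -oG scan; a non-empty 'unexpected' list means review."""
    return {ip: profile_host(ports) for ip, ports in parse_grepable(text).items()}

if __name__ == "__main__":
    for ip, r in profile_scan(SAMPLE_GREPABLE).items():
        print(ip, r["class"], "REVIEW" if r["unexpected"] else "ok", r["unexpected"])
```

Both constructed hosts match the ip-camera baseline, but the second also exposes telnet and http-proxy, which is exactly the kind of deviation a policy manager can act on.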

With this more granular context, ClearPass can apply its policies and its third-party point-security integrations with infrastructure such as SIEM, perimeter firewalls, and deception devices, so that breaches of this kind can be stopped before they cause extensive damage.

Technically, these infected devices are not IoT devices; they are cheap consumer devices. IoT devices are more generally process control/environmental monitoring/actuator type devices, rather than consumer cameras and routers.